Synergyse Training was purchased for all Mozilla users for the Gmail migration project. As this is a marketplace app that we need to install on our Enterprise Google account - we would like someone from Security to check it before we install it.
Julien Vehent Nov 3 (2 days ago) to me, David Thanks Jen, Their security doc states that "Synergyse only has access to view your user's email addresses & organizational unit". That's low risk, all that data is mostly public anyway. And I don't see any vector of exploitation in their workflow that would reduce the security of gmail itself. From a security point of view, it's good to go. You may want to capture this is a bug and link the security doc for future ref. Thanks (and sorry again for the late reply). Julien On Mon 3.Nov'14 at 16:54:58 -0800, Jennifer Hayashi wrote: > Hi Julien - > > Here's the documentation I received from the vendor. I'll also forward > the questionnaire you sent to the vendor and get back to you as soon as I > hear back. A little background, we've already purchased this video > training, legal signed off on the contract -- but since the install does > require some information to be exchanged - we thought it best to have > someone from Security to verify there's no glaring issues before we deploy > it out to the entire company. > > > Hope that helps, > Jen > > > ---------- Forwarded message ---------- > From: Jennifer Hayashi <email@example.com> > Date: Wed, Oct 29, 2014 at 11:49 AM > Subject: Fwd: Synergyse install > To: "Stevensen, Joe" <firstname.lastname@example.org> > Cc: "Lim, Edward" <email@example.com> > > > Hi Joes - > > This is the video training that we'll be enabling in Google. In order to > set this up, we need to add the Synergyse App to the domain which will then > be authorized to grab certain information from our Google domain. Can you > take a quick look at these and let us know whether you see any glaring > problems? If not, we want to enable it this week. > > I've enabled this in our test environment if anyone wants to test it out. > > Thanks! > jen
This was installed in production. Submitting this bug for future reference.